Lawmakers Float Online Privacy Bill

Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) have released a draft of a bill that would require Web publishers and ad networks to publicly disclose when they collect data on Internet users. However, it would not require users to opt-in before firms collect data about them for advertising and commerce purposes.

Boucher, chairman of the Subcommittee on Communications, Technology and the Internet, and Stearns, ranking member of the subcommittee, are looking to strike a balance between protecting consumers while still promoting business. Though some feared sweeping government regulation would allow Web businesses to utilize consumer data only when those consumers had expressly provided permission to do so, the proposed bill puts some of the burden on Web users to protect themselves.

For example, per the bill's executive summary, the law requires a level of consumer diligence -- i.e., people concerned with their own Web privacy will have to be on the lookout for publishers privacy policies, which must be "clearly-written [and] understandable."

"Our legislation confers privacy rights on individuals, informing them of the personal information that is collected and shared about them and giving them greater control over the collection, use and sharing of that information," said Boucher.

And if individuals don't want information collected about themselves, they need to take action -- unless that information is of a highly sensitive nature, like medical records or social security numbers. "As a general rule, companies may collect information about individuals unless an individual affirmatively opts out of that collection," reads the draft.

That rule applies to individual publishers, as well as third parties like networks and ad-serving companies. However, the bill draws the line at sharing data without permission with what it calls "unaffiliated parties." Says the draft: "An individual has a reasonable expectation that a company will not share that person's information with unrelated third parties."

Those "unaffiliated parties" must receive consumers' permission to acquire their data. It is unclear at this point whether that included data exchange companies like BlueKai and eXelate. "There is a lot of nebulous and undefined territory there," said Will Margiloff, co-CEO of Innovation Interactive.

Overall, Reps. Boucher and Stearns appeared to take pains to make sure that they came across as pro data, calling Web logs (files) and cookies "necessary" for the functioning of many commercial or ad-supported Web sites. Boucher has stated previously that he recognizes the importance of data collection for the online advertising market and the e-commerce economy.

"Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure," said Boucher. "Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge, and this legislation will not disrupt this well-established and successful business model."

Yet Mike Zaneis, vp, public policy at the Interactive Advertising Bureau, was concerned that the bill lumped together users' personal identification information -- such as names, addresses and phone numbers -- with non-personal identifiers, such as IP addresses or cookies. His fear is that if this bill were passed as is, users might ultimately be required to opt-in to receive any form of targeted advertising that employs cookies or IP addresses-which could significantly hurt Web publishers.

"That's fundamentally different from the [Federal Trade Commission]'s approach," he said. The IAB has been working closely with the FTC over the past year or so to develop a set of privacy guidelines for the industry. "I'm worried about unintended consequence that could come from using overly broad definitions."

Margiloff shared Zaneis' fear that the bill might be too broadly targeted, but for the most part felt that it "is very much in line with some of the self-regulation principles being prepared by the industry." Except perhaps with more teeth. "The key component here is that the government is going to enforce this stuff," he said. "We're big fans of that. Otherwise, with the industry alone, how can you enforce this stuff? Is someone going to yell at me?"

Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) have released a draft of a bill that would require Web publishers and ad networks to publicly disclose when they collect data on Internet users. However, it would not require users to opt-in before firms collect data about them for advertising and commerce purposes.

Boucher, chairman of the Subcommittee on Communications, Technology and the Internet, and Stearns, ranking member of the subcommittee, are looking to strike a balance between protecting consumers while still promoting business. Though some feared sweeping government regulation would allow Web businesses to utilize consumer data only when those consumers had expressly provided permission to do so, the proposed bill puts some of the burden on Web users to protect themselves.

For example, per the bill's executive summary, the law requires a level of consumer diligence -- i.e., people concerned with their own Web privacy will have to be on the lookout for publishers privacy policies, which must be "clearly-written [and] understandable."

"Our legislation confers privacy rights on individuals, informing them of the personal information that is collected and shared about them and giving them greater control over the collection, use and sharing of that information," said Boucher.

And if individuals don't want information collected about themselves, they need to take action -- unless that information is of a highly sensitive nature, like medical records or social security numbers. "As a general rule, companies may collect information about individuals unless an individual affirmatively opts out of that collection," reads the draft.

That rule applies to individual publishers, as well as third parties like networks and ad-serving companies. However, the bill draws the line at sharing data without permission with what it calls "unaffiliated parties." Says the draft: "An individual has a reasonable expectation that a company will not share that person's information with unrelated third parties."

Those "unaffiliated parties" must receive consumers' permission to acquire their data. It is unclear at this point whether that included data exchange companies like BlueKai and eXelate. "There is a lot of nebulous and undefined territory there," said Will Margiloff, co-CEO of Innovation Interactive.

Overall, Reps. Boucher and Stearns appeared to take pains to make sure that they came across as pro data, calling Web logs (files) and cookies "necessary" for the functioning of many commercial or ad-supported Web sites. Boucher has stated previously that he recognizes the importance of data collection for the online advertising market and the e-commerce economy.

"Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure," said Boucher. "Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge, and this legislation will not disrupt this well-established and successful business model."

Yet Mike Zaneis, vp, public policy at the Interactive Advertising Bureau, was concerned that the bill lumped together users' personal identification information -- such as names, addresses and phone numbers -- with non-personal identifiers, such as IP addresses or cookies. His fear is that if this bill were passed as is, users might ultimately be required to opt-in to receive any form of targeted advertising that employs cookies or IP addresses-which could significantly hurt Web publishers.

"That's fundamentally different from the [Federal Trade Commission]'s approach," he said. The IAB has been working closely with the FTC over the past year or so to develop a set of privacy guidelines for the industry. "I'm worried about unintended consequence that could come from using overly broad definitions."

Margiloff shared Zaneis' fear that the bill might be too broadly targeted, but for the most part felt that it "is very much in line with some of the self-regulation principles being prepared by the industry." Except perhaps with more teeth. "The key component here is that the government is going to enforce this stuff," he said. "We're big fans of that. Otherwise, with the industry alone, how can you enforce this stuff? Is someone going to yell at me?"